SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

Looking for some specific ways to get started using Splunk? We can help. We have a step-by-step online experience to walk you through how to use login activity and Splunk to detect, validate and scope threats in your environment.

TOP OF THE NEWS

More Databases Targeted By Ransomware Attacks (January 19, 2017)

Ransomware groups that have targeted MongoDB databases and Elasticsearch clusters are expanding their scope to include Hadoop and CouchDB data storage technologies. The Hadoop attacks are leaving behind messages telling admins to do a better job of securing their deployments. The CouchDB attacks have been demanding 0.1 bitcoins to return the data. Paying the ransom is unadvisable because previous attacks have not returned the wiped data.

[Editor Comments]

[Paller] For more than five years, widely used web content management systems (WordPress, et al.) have offered fertile gardens of vulnerable code for attackers to use to take control of many organizations' computers. Now the attackers have found that data storage systems are ripe for exploitation. There is an easy-to-discern pattern here of entrepreneurial organizations (open source included) attracting huge numbers but putting off security until it is too late to bake it in.
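The common thread in these database incidents is a default deployment left reachable and unauthenticated. The following is an added example, written for this issue and not code from SANS or from the CouchDB project, that audits a CouchDB local.ini for the three settings that matter most: an empty [admins] section (CouchDB's "admin party" mode, where every request is treated as an administrator), a bind_address of 0.0.0.0 in [chttpd] or [httpd], and require_valid_user left off. Both sample configuration files are constructed for the example; the admin hash value is a placeholder, not a real credential.

```python
import configparser

# Constructed sample of a CouchDB local.ini deployed the way the attacked
# instances were: no administrator, listening on every interface, and
# anonymous requests accepted.
WEAK_LOCAL_INI = """
[chttpd]
bind_address = 0.0.0.0
port = 5984

[admins]
; no entries: CouchDB treats every request as an administrator

[couch_httpd_auth]
require_valid_user = false
"""

# The same file with the three settings corrected (also constructed).
HARDENED_LOCAL_INI = """
[chttpd]
bind_address = 127.0.0.1
port = 5984

[admins]
; CouchDB replaces a plaintext password here with a salted hash on startup.
; The value below is a constructed placeholder, not a real hash.
admin = -pbkdf2-PLACEHOLDER

[couch_httpd_auth]
require_valid_user = true
"""


def audit_couchdb_ini(text):
    """Return a list of findings for a CouchDB local.ini supplied as text."""
    cfg = configparser.ConfigParser(
        allow_no_value=True,
        interpolation=None,
        inline_comment_prefixes=(";", "#"),
    )
    cfg.read_string(text)
    findings = []

    # 1. Admin party: a missing or empty [admins] section means no authentication.
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("no administrator defined: instance runs in 'admin party' mode")

    # 2. Bind address: 0.0.0.0 (or ::) exposes the HTTP API on every interface.
    #    CouchDB 1.x uses [httpd], 2.x uses [chttpd]; check both.
    for section in ("chttpd", "httpd"):
        bind = cfg.get(section, "bind_address", fallback=None)
        if bind is not None and bind.strip() in ("0.0.0.0", "::"):
            findings.append(
                f"[{section}] bind_address = {bind.strip()}: API exposed on all interfaces"
            )

    # 3. Anonymous access: without require_valid_user, unauthenticated
    #    requests reach the database even when an admin exists.
    rvu = cfg.get("couch_httpd_auth", "require_valid_user", fallback="false")
    if rvu.strip().lower() != "true":
        findings.append("require_valid_user is not true: unauthenticated requests are accepted")

    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_LOCAL_INI), ("hardened", HARDENED_LOCAL_INI)):
        print(label, audit_couchdb_ini(ini) or ["no findings"])
```

Run it against a real local.ini by passing the file contents to audit_couchdb_ini; an empty list means none of the three conditions was found, not that the deployment is otherwise sound (network-level exposure still needs to be checked separately).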

Oracle's Mammoth Security Update (January 18, 2017)

Oracle's first quarterly security patch update for 2017 comprises fixes for 270 vulnerabilities. The majority of the flaws are remotely exploitable. Oracle's E-Business Suite tops the list with 121 fixes, followed by 37 in Oracle Financial Services, and 18 in Oracle Fusion Middleware.

[Editor Comments]

[Pescatore] Unfortunately, this is really just an average-sized set of vulnerability fixes for Oracle, with no sign of any trending in a positive direction. The volume and the impact of Oracle's patch dumps, combined with demands for reduced duration of change windows in data centers, often lead to looong times before IT operations actually update servers. A number of forward-looking enterprises are using IaaS services like AWS or Azure to spin up full production copies of systems (with obfuscated data) to shorten patch testing cycles and shorten that vulnerability window.

Brian Krebs has traced the origin of the Mirai botnet, which was used to launch massive distributed denial-of-service (DDoS) attacks against his website last September, to the New Jersey owner of a DDoS mitigation company. The attacks forced the KrebsOnSecurity website offline for several days. Mirai exploits poorly secured Internet of Things (IoT) devices to launch its attacks.

3) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! Survey link: http://www.sans.org/info/191652

THE REST OF THE WEEK'S NEWS

U.S. Air Force's Prattle Would Take Honeypots to the Next Level (January 19, 2017)

The U.S. Air Force's Prattle program aims to "transform... the traditional 'honeypot' method of catching hackers." Rather than simply disguising a honeypot as a network that hackers will try to access, Prattle will provide misinformation that could lead intruders to unimportant parts of the network, delaying them from getting to the sensitive data. They could also provide documents that are fake or that contain digital watermarks.

Scientists, librarians, archivists, and hackers have been working feverishly to preserve climate change data stored on the websites of the Environmental Protection Agency (EPA) and the National Oceanic and Atmospheric Administration (NOAA). The incoming U.S. administration is likely to remove much of the information from the public domain.

Malwarebytes researchers have found code on Macs that appears to target biomedical research companies. Dubbed Quimitchin by Malwarebytes and Fruitfly by Apple, the malware appears to have been infecting machines for at least two years. What is particularly curious about Fruitfly is that it contains very old coding functions. It is also built with Linux shell commands. Fruitfly takes screenshots and webcam images and harvests information about devices connected to the infected computer. Apple has released a fix to protect against Fruitfly infections; the update will be automatically downloaded.

Sweden is testing a system that would interrupt car radios when ambulances are nearby and need to get past. The system, which operates over an FM radio signal, also sends a message to the radio display. The ambulance alert system will give drivers more time to move out of the ambulance's path.

Triano Williams, a former IT administrator at the American College of Education, changed the administrator password on a Google account used by the college before leaving his position. The affected account held email and course material for more than 2,000 students. When the school contacted Google to regain access to the account, they were told the account could be recovered only by the owner, in this case, Williams. When the school contacted Williams, he filed a complaint seeking "a clean letter of reference and payment of $200,000" in exchange for helping recover the account password. The school filed a suit against Williams, which resulted in a default judgment of nearly USD 250,000.

[Editor Comments]

[Williams] I keep hearing this reported as an extortion story, but that's missing the point. In this case, the school allowed the admin to build critical services on an account he owned. In my practice I've seen this more than once with Dropbox and more recently with Amazon Web Services. This is really an extension of BYOD where the organization does not clearly delineate between its assets and those of its employees. Organizations should use the momentum (hopefully) created by this story to audit accounts used for business processes (correcting issues where required).

[Honan] This is a good example as to why you need to have a policy in place with employees to ensure that any social media accounts or accounts used to access third party services and any associated data are the property of the organisation and not the employee.

A team of experts and researchers from New York University's Tandon School of Engineering and University of Michigan's Transport Research Institute have developed a protocol that will allow code embedded in vehicle components to be remotely updated. Some major car manufacturers have already implemented systems to update and fix vehicle software over Wi-Fi or cellular connections.

[Editor Comments]

[Pescatore] The technical issues around confidentiality/integrity/availability of any over-the-air update protocol are really important. Decisions about what is an acceptable "update" are equally important from a security perspective and from other issues - like fraud. We know mixing new features with vulnerability fixes is a bad idea, but in the consumer industry that has been the norm. We know at least 2 large car manufacturers have routinely included software in their products to cheat on emission tests - over the air updates could enable more of that. The auto industry (or if not those companies, their regulators) needs to define standards of practice around OTA updates.

[Honan] Why does the phrase "what could possibly go wrong" come to mind when I see the phrase "will allow code embedded in vehicle components to be remotely updated"? I sincerely hope the protocol being developed includes security measures to prevent this from being abused.

[Northcutt] It's not new, but the Wired Magazine story says it best. I am seriously considering an old school pony car with points and condensers:

Webmaster Used Backdoor to Steal Data (January 17 & 18, 2017)

A webmaster in the Netherlands built backdoors into sites he created and used the access to steal site visitors' personal data. Dutch police are warning 20,000 people that their email accounts were compromised. The data thief used the information to make purchases, open online accounts, and receive fraudulent money transfers.

[Editor Comments]

[Williams] The unfortunate reality is that while theft is relatively uncommon, backdoors are extremely common. A relatively simple audit can uncover issues before code is deployed.

US-CERT is recommending that Windows admins take steps to protect their systems from a possible zero-day exploit targeting a vulnerability in Windows Server Message Block (SMB). Admins are advised to disable SMB v. 1 and block SMB traffic at the network boundary. The US-CERT advisory notes "that disabling or blocking SMB may create problems by obstructing access to shared files, data or devices. The benefits of mitigation should be weighted against potential disruptions to users."

Access Tokens and API Keys Found in Android Apps (January 17, 2017)

Researchers examined thousands of Android apps and found that some contained embedded access tokens and API keys. Of the 16,000 apps analyzed, 2,500 were found to contain hard-coded secret credentials. Roughly 300 of the apps contained credentials for sensitive accounts, including Twitter, Dropbox, Flickr, and Amazon Web Services.
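Credentials embedded in an app package are visible to anyone who unpacks it, so the practical defence is to catch them before the build ships. The following is an added example, written for this issue and not code from the researchers or from any of the named providers, of the two checks such a pre-release scan usually combines: a pattern for a provider format with a fixed shape (AWS access key IDs begin with AKIA followed by 16 upper-case alphanumerics) and a generic check that flags credential-looking names in Java source or Android strings.xml whose assigned value is long and high-entropy. The sample input is constructed; the AWS key in it is the example key from AWS's own documentation, and the other values are made up.

```python
import math
import re
from collections import Counter

# Constructed sample of what decompiled app resources and source can look
# like. AKIAIOSFODNN7EXAMPLE is AWS's documented example key, not a live one;
# the other values are made up for this example.
SAMPLE_APP_TEXT = '''
<string name="app_name">Demo</string>
<string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
<string name="dropbox_token">Zz9qK2pL7vR4xW1nT8bC3hF6sJ0mA5dY</string>
<string name="build_label">release</string>
String API_KEY = "xyzxyzxyzxyzxyzxyzxyz";
'''

# Provider formats with a fixed, recognisable shape.
KNOWN_FORMATS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic: a credential-looking identifier assigned an opaque value of 16+
# characters, in Java/Kotlin assignment form or as an Android string resource.
CREDENTIAL_NAME = r"\w*(?:api_?key|secret|token|password)\w*"
GENERIC_PATTERNS = [
    re.compile(r'(?i)\b(' + CREDENTIAL_NAME + r')\s*=\s*"([^"\s]{16,})"'),
    re.compile(r'(?i)<string\s+name="(' + CREDENTIAL_NAME + r')"\s*>([^<\s]{16,})</string>'),
]


def shannon_entropy(value):
    """Bits of entropy per character; random-looking tokens score high,
    placeholders such as 'xyzxyz...' score low."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text, entropy_threshold=3.5):
    """Return (label, value) pairs for likely hard-coded credentials in text."""
    findings = []

    # Known formats are reported regardless of entropy: the prefix is the signal.
    for label, pattern in KNOWN_FORMATS.items():
        for match in pattern.finditer(text):
            findings.append((label, match.group(0)))

    # Generic matches are reported only when the value looks random, which
    # filters out build-time placeholders and obvious dummy strings.
    for pattern in GENERIC_PATTERNS:
        for match in pattern.finditer(text):
            name, value = match.group(1), match.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((f"high-entropy value assigned to '{name}'", value))

    return findings


if __name__ == "__main__":
    for label, value in scan_for_secrets(SAMPLE_APP_TEXT):
        print(f"{label}: {value}")
```

On the sample, the AWS key is reported by format, the dropbox_token value is reported by the generic check (32 distinct characters, 5 bits per character), and the low-entropy API_KEY placeholder is left alone. Running the same function over the unpacked resources and decompiled sources of a release candidate, with the threshold tuned against the project's own false positives, is the check that would have caught the credentials described above before publication.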